Enable Spectre, Meltdown and MDS mitigations installed with Windows Update

Just installing the updates might not be enough in some cases. Some computers need registry keys and values created and set to enable the mitigations that Microsoft released for Windows 10.

To smooth out this process I created a simple script for myself that allows you to remotely set the registry keys and values required based on the Microsoft support article recommendations.

The script can target either your own computer, using localhost as the computer name, or a remote computer if PowerShell Remoting is enabled. This allows you to bulk enable the mitigations.

I am still working on improving the script where needed so see it as a preview that works. I am still a beginner in PowerShell and am learning along the way when tasks need to be accomplished.

<#
.SYNOPSIS
This script is used to enable Speculation Control settings on a computer

.DESCRIPTION
This script takes the registry key settings recommended for Intel CPUs and sets them on a specified computer using PSRemoting. The Intel recommendations are based on not
disabling Hyper-Threading.

For this script to work and the registry keys to take effect, the client computer must be fully up to date: drivers, CPU microcode, BIOS and Windows.

For the registry keys to take effect the computer needs to be rebooted

.EXAMPLE
This will enable Speculation Control settings on a remote computer
.\Enable-SpeculationControl.ps1 -ComputerName REMOTEPC -Credential Administrator

.EXAMPLE
This will enable Speculation Control settings on a remote computer and restart the computer afterwards
.\Enable-SpeculationControl.ps1 -ComputerName REMOTEPC -Credential Administrator -Restart

.EXAMPLE
This will enable Speculation Control settings on the computer running the script and restart it afterwards
.\Enable-SpeculationControl.ps1 -ComputerName 127.0.0.1 -Credential Administrator -Restart

.EXAMPLE
This will enable Speculation Control settings on the computer running the script
.\Enable-SpeculationControl.ps1 -ComputerName localhost -Credential Administrator

.LINK
https://arstechnica.com/gadgets/2019/05/new-speculative-execution-bug-leaks-data-from-intel-chips-internal-buffers/
https://support.microsoft.com/en-us/help/4073119/protect-against-speculative-execution-side-channel-vulnerabilities-in
https://mdsattacks.com/
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/adv190013
https://perplexity.nl
#>

[CmdletBinding()]
param
(
    # Not mandatory: PowerShell ignores the default value of a mandatory parameter and prompts instead
    [Parameter(Position=0)][string]$ComputerName = '127.0.0.1',
    [Parameter(Position=1,mandatory=$true)][System.Management.Automation.PSCredential]$Credential,
    [switch]$Restart
)

Begin 
{
    Write-Verbose "Attempting to create a PowerShell session to $ComputerName"
    $Session = New-PSSession $ComputerName -Credential $Credential

    if (-Not($Session))
    {
        Write-Error "No session is made with the specified computer, please try again"
        Exit
    }

    Write-Verbose "Enabling Speculation Control registry settings on $ComputerName"
    Invoke-Command -Session $Session -ScriptBlock {
        #Commands based on https://support.microsoft.com/en-us/help/4073119/protect-against-speculative-execution-side-channel-vulnerabilities-in
        
        #Intel CPU registry recommendations to enable Windows 10 Speculation mitigations (without disabling Hyper-Threading)

        #Microarchitectural Data Sampling        (CVE-2018-11091, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130) 
        #Spectre                                 (CVE-2017-5753 & CVE-2017-5715)
        #Meltdown                                (CVE-2017-5754)
        #Speculative Store Bypass Disable (SSBD) (CVE-2018-3639)
        #L1 Terminal Fault (L1TF)                (CVE-2018-3615, CVE-2018-3620, and CVE-2018-3646)
        
        reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 72 /f | Out-Null
        reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f | Out-Null
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" /v MinVmVersionForCpuBasedMitigations /t REG_SZ /d "1.0" /f | Out-Null
    }

    if ($Restart)
    {
        Write-Verbose "Sending restart command to $ComputerName"
        Invoke-Command -Session $Session -ScriptBlock {  
            Restart-Computer -Force 
        }
    }

    Write-Verbose "Removing used PowerShell session"
    Remove-PSSession $Session
}
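
After a bulk run it helps to confirm which computers actually hold the three values. The following is an added example, not part of the original script: it reads the values back over PowerShell Remoting and compares them with the data used in the `reg add` commands above. The function name `Test-SpeculationControlRegistry` and the host names `PC01` and `PC02` are assumptions made for illustration. It reports the configured registry state only; as the script's description says, the settings take effect after a reboot.

```powershell
# Added example, not part of the original script. The function name is hypothetical.
# Expected data mirrors the three "reg add" commands in the script above.
function Test-SpeculationControlRegistry {
    [CmdletBinding()]
    param(
        [string[]]$ComputerName = 'localhost',
        [System.Management.Automation.PSCredential]$Credential
    )

    $check = {
        $mm   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
        $virt = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization'
        $expected = @(
            @{ Path = $mm;   Name = 'FeatureSettingsOverride';            Value = 72 }
            @{ Path = $mm;   Name = 'FeatureSettingsOverrideMask';        Value = 3 }
            @{ Path = $virt; Name = 'MinVmVersionForCpuBasedMitigations'; Value = '1.0' }
        )
        foreach ($e in $expected) {
            # A missing key or value gives $null rather than an error
            $item   = Get-ItemProperty -Path $e.Path -Name $e.Name -ErrorAction SilentlyContinue
            $actual = if ($item) { $item.($e.Name) } else { $null }
            [pscustomobject]@{
                Computer  = $env:COMPUTERNAME
                Name      = $e.Name
                Expected  = $e.Value
                Actual    = $actual
                Compliant = ($null -ne $actual) -and ($actual -eq $e.Value)
            }
        }
    }

    foreach ($computer in $ComputerName) {
        $invoke = @{ ComputerName = $computer; ScriptBlock = $check; ErrorAction = 'Stop' }
        if ($Credential) { $invoke.Credential = $Credential }
        try {
            # Select-Object drops the remoting metadata properties
            Invoke-Command @invoke | Select-Object Computer, Name, Expected, Actual, Compliant
        }
        catch {
            # An unreachable host is reported and the loop continues
            Write-Warning "Could not query ${computer}: $($_.Exception.Message)"
        }
    }
}

# Constructed host names; list only the values that still need attention
Test-SpeculationControlRegistry -ComputerName 'PC01', 'PC02' |
    Where-Object { -not $_.Compliant }
```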
